Just wondering what you all think of Cloud and the inherant risks from a security prespective?

Is it really that insecure (I know alot depends on the hosting company's security) But would just like to hear everyones views on cloud.

Thanks

Charlie

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.- Sun Tzu

Funny timing. I just got done speaking at FinCLOUD. According to all the cloud vendors their environments would put the NSA to shame and there are no, and never will be, any security issues. My quick points:

-don't fall for the entire "the cloud" concept where everything is treated the same. Find out exactly is going on. Is it a public cloud? Private cloud? Hybrid? Software/data/infratstructure/platform as a service? Every combination of those answers will result in different security pros and cons.

-example pros and cons for public could. (meaning a lot of the hardware and data is co-mingled at some point) Generally I see the infrastructure is "more" secure than many of the environments within my clients. They have more bodies and skills focused on hardening the systems and apps, controlling access, monitoring, etc. Downside? Lookup the recent whitepaper showing how researchers figured out how to own all of Amazon's web services. While cracking a major cloud provider might be difficult, all it takes is one breach to tank the whole thing. If I'm a hacker do you think I focus on breaking into 500 individual environments or do I break a single environment that has all their data. Low probability but huge impact.

-example pros and cons for private clouds. (meaning the systems/apps/data are generally dedicated to one customer often within their existing environment) You have far more control over your systems/apps/data because you know right where they are. In a public cloud your stuff could be scattered everywhere. You can monitor and audit at a more granular level. Downside? Private clouds tend to be very tied into the existing environment and therefore suffer a lot of the same problems. Perfect example: A vendor today was bragging how easy it was to roll out their private cloud product because they could simply roll all the existing active directory authentication right into their platform. I ask him nicely what security advantage that provided since I could pop one of their current systems, get AD admin rights, and then proceed to own their shiny new cloud. A rambling, stuttering 2 minutes later he kind gave up trying to come up with a good answer. I wasn't trying to screw with him, just demonstrate that bring a cloud solution directly into the current infrastructure created its own problems.

I didn't even get a chance to start talking though the attacks against CAs, TLS, etc that go to the heart of cloud infrastructure.

pseud0 wrote:Funny timing. I just got done speaking at FinCLOUD. According to all the cloud vendors their environments would put the NSA to shame and there are no, and never will be, any security issues. My quick points:

-don't fall for the entire "the cloud" concept where everything is treated the same. Find out exactly is going on. Is it a public cloud? Private cloud? Hybrid? Software/data/infratstructure/platform as a service? Every combination of those answers will result in different security pros and cons.

-example pros and cons for public could. (meaning a lot of the hardware and data is co-mingled at some point) Generally I see the infrastructure is "more" secure than many of the environments within my clients. They have more bodies and skills focused on hardening the systems and apps, controlling access, monitoring, etc. Downside? Lookup the recent whitepaper showing how researchers figured out how to own all of Amazon's web services. While cracking a major cloud provider might be difficult, all it takes is one breach to tank the whole thing. If I'm a hacker do you think I focus on breaking into 500 individual environments or do I break a single environment that has all their data. Low probability but huge impact.

-example pros and cons for private clouds. (meaning the systems/apps/data are generally dedicated to one customer often within their existing environment) You have far more control over your systems/apps/data because you know right where they are. In a public cloud your stuff could be scattered everywhere. You can monitor and audit at a more granular level. Downside? Private clouds tend to be very tied into the existing environment and therefore suffer a lot of the same problems. Perfect example: A vendor today was bragging how easy it was to roll out their private cloud product because they could simply roll all the existing active directory authentication right into their platform. I ask him nicely what security advantage that provided since I could pop one of their current systems, get AD admin rights, and then proceed to own their shiny new cloud. A rambling, stuttering 2 minutes later he kind gave up trying to come up with a good answer. I wasn't trying to screw with him, just demonstrate that bring a cloud solution directly into the current infrastructure created its own problems.

I didn't even get a chance to start talking though the attacks against CAs, TLS, etc that go to the heart of cloud infrastructure.

Thanks pseud0 for taking the time to answer. Your answer has given me some food for thought. Though not looking at getting cloud I have been reading up on it as its an up and coming thing. I just wanted some views from people in the know.

If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.- Sun Tzu